Security for Android Java Mobile Applications

Java offers an efficient framework for developing and deploying enterprise and server or client-side applications. However, Java bytecode being an interpreted language, contains highly detailed metadata and debugging information which is susceptible to tampering, reverse-engineering and piracy. Free decompilers can easily decompile Java applications into near-original source code, creating a number of vulnerabilities.

Types of Applications that Require Protection Include:

Java Mobile and Desktop Applications – Distributed applications that are written in Java are susceptible to static and dynamic analysis attacks. These applications suffer from the same inherent reverse engineering issues as mobile and desktop applications written in other languages except bytecode is even easier to decompile.

Web Applications with server side business logic – Thin client based web applications where logic in the Web/Business/System tier is susceptible to theft, malware insertion, unauthorized access to authentication credentials and keys.

Examples of Java Vulnerabilities include:

Reverse Engineering: Attackers can reverse engineer a bytecode file and decompile the code after it’s downloaded to the client. This enables IP theft as well as reverse engineering of security routines or other critical routines that can be found and exploited

Key and credential theft: Often secret keys or authentication credentials are hardcoded into components. These are quite simple to identify, and can then be abused to launch attacks on your server

Easy decompilation: As an interpreted language, Java is very easy to decompile. A number of free and low-cost decompilers are widely available and automatically process bytecode to produce amazingly readable source code. Hackers can quickly decompile your bytecode, modify it to implement hacks or create counterfeits, and recompile – resulting in a hacked version of your original application

Arxan’s Solution for Java Mobile Applications

Arxan’s GuardIT® protects critical functions of an application by combining advanced encryption and obfuscation with Guards® that are manipulating the bytecode. GuardIT® for Java is based on patented technology that features various advanced obfuscation techniques. The creation of customized GuardSpec guides the insertion of various layers of protection for your Intellectual Property

In today’s threat environment enterprises need resilient protection of their Java application layer in order to:

Core Features

Many Java obfuscation solutions largely rely on string encryption and variable renaming to prevent comprehensive disassembly of code. However, given the current sophisticated attack landscape, such superficial measures are easily circumvented; giving rise to the myth that Java cannot be secured.

Control Flow Obfuscation. This advanced obfuscation technique breaks the correlation between byte code and semantically meaningful source code constructs. This degrades the results of decompilation, this preventing recovery of Java source code and protecting applications against reverse engineering. Many low-cost obfuscators rely on select tactics to break popular decompilers. In contrast, GuardIT for Java leverages language-level properties to implement reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements.

String Encryption and Variable Renaming. These commonly used techniques remove semantically meaningful variable names, strings and thus, context, from the code. This provides an additional measure of defense against decompilation and reverse engineering.

Developer-Friendly. GuardIT for Java directly protects compiled class files. It is integrated with popular development environments including Eclipse, IBM RAD and Ant. It is also accessible as a command line tool. Protection is easy as ‘point-and-click’ for rapid, hassle-free deployment.

Guards at work to protect Java 24/7:

GuardIT leverages thousands of guard instances, of many types, to comprehensively safeguard your applications against tampering, piracy and any manner of theft. The following table summarizes the types of Guards for Java, and the functions performed by each of them.

The functions performed by each of these Guards is described below:

Class of Defense

Guard Type

Function

DEFEND

Obfuscation

Transforms programs into code that’s difficult to disassemble and understand, but has the same functionality as the original

Renaming

Renames the symbols in the protected application to nonsense strings

String Encryption

Encrypts string literals and decryption at run-time

Debug Info

Strips debug info from the final, protected binary

Class Encryption

Encrypts input class files at protection time and restores them to their pre-encrypted state at runtime before they are loaded

Call Hiding

Uses Java reflection to hide method calls

Resource Encryption

Encrypts user‐identified resources in the Android APK

DETECT

Debugger Detection

Detects whether a program has been executing in a debugging environment

Checksum

Detects whether a program has been modified by computing a checksum within a specified range

Resource Verification

Verifies resource files or shared library in the APK, at run-time, have not been altered or tampered

Hook Detection

Detects whether an attacker has overridden a called function that resides in a system library or within the application

Root Detection

Determines whether the device on which the application is running is rooted

Following exhibit summarizes the process of transforming unprotected application into a protected application using GuardIT® for Java:

Arxan offers solutions for software running on mobile devices, desktops, servers, and embedded platforms – including those connected as part of the Internet of Things (IOT) – and is currently protecting applications running on more than 400 million devices across a range of industries.